Saturday, October 6, 2012

Anti-Virus Software is Snake-Oil

Something that irritates me to no end in the computer age are snake-oil hucksters who produce software that provides almost no value to the customer and does nothing but to line the pockets of the entity producing the software. AV software is probably the most salient example of this.

In case it isn't obvious, AV software has been an utter failure over the past two decades.  Various studies of popular AV products have shown that the detection rates are dismal.  According to research, simple proof of this fact is that anywhere from 40-90% of Windows machines have malware on them and most of these machines are running some sort of AV software.  If AV software were truly effective, we should not see anywhere even close to a 40% infection rate.

Perhaps the most vexing thing about the whole matter is most of these companies herald their products as a one-stop solution for all your security needs.  This gives the average consumer the notion that if they only installed AV product X or Y that their security issues would be solved and they would be immune to all malware.

I remember once long ago when I was a Windows user that I called my ISP's tech support (I don't recall why now).  The guy on the other end of the phone told me to first run a virus scan to ensure that malware wasn't causing the issue.  I knew this was not my issue and told him why.

Why Signature Detection Is Flawed

For one, AV software doesn't ensure anything.  AV software uses what's known as a blacklist approach.  That is, these companies seek out malware and then make a hash of that malware (also known as a "signature").  They then push these hash values to your machine and then check the disk for any file that matches any of the hash values in the database.

Anyone who is familiar with how hash functions work will immediately see why this is an utterly flawed approach.  All it takes to change the hash value of any file is to change a single bit in the file.  That is, you could have a file 100 GB in size (that is 800 billion bits) but if you change only one *bit* of that file, the hash value will completely change.  Therefore, it is trivial for an attacker to change his code to avoid the databases.  Indeed, he doesn't even have to change the code at all, but can merely change a comment in the code.  This is enough to change the hash value of his compiled binary completely.

For this reason, some signature techniques don't hash the whole binary, but will take hash values of snippets of the decompiled code within the binary.  This will stop the technique of merely altering one bit in the code to avoid detection.  However, it won't stop the author from rewriting his functions or altering them enough to change the hash value.  Thus, it is essentially the same problem.

Of course, the anti-virus companies realized this and changed their methods of detection.  They invented something they call "heuristic analysis" which is supposed to allow them to detect malware regardless of its hash signature.
One typical method of heuristics is to decompile the binary and then compare the source code with known malware samples.  If a certain percentage of the code matches known malware, it will flag it.  The problem is while this might work a certain percentage of the time, it is prone to lots of false positives and is trivial to circumvent by any decent coder (again, rewriting functions in the code or using encryption, etc.)


Rootkits can disable AV software all together.  A rootkit, by definition has root access; that is, it is running at ring 0 and is all powerful.  If you have a rootkit, the *only* course of action is to wipe the disk and reinstall the OS.  Anyone who tells you otherwise is an idiot.

Really, rootkits are nothing new.  They have been around on Unix systems for decades.  The buzzword only got popular on Windows about six or seven years ago when Vista came out with UAC.  It wasn't until Vista that most Windows users had ever heard of the notion of privilege separation and user accounts (XP had the ability but no one used it since it was disabled by default).

Unix systems have been using this paradigm for over 30 years.  Thus on Unix if something has full system access (superuser access) it has "root."  A rootkit is malicious code an attacker uses once he has already compromised the machine in some other way.  He then installs the rootkit in order to cover his tracks, delete log files, hide processes, etc. It's essentially an automated way for him to retain his root access once he logs out of the machine.

In the old days of Windows, there was no such thing as a limited user and a superuser -- everything ran as a superuser all the time.  (This was one reason Windows security was so horrible for so long).  Therefore, since there was no separation of privileges in the first place, any piece of malware you picked up was running with full system privileges.  Thus pretty much everything was a rootkit on Windows (though not everything tried to hide).  AV vendors have reinvented the term "rootkit" for Windows just so they can invent a new threat (a threat that has long existed and is not new, even on Windows).  Their intention, of course, is to scare consumers that there is some new bogey man out there.

Whitelisting vs Blacklisting

Even if it were possible to reliably detect all known and existing malware samples with 100% accuracy (it's not as tests of AV software proves), we still have the problem that the overall philosophy of AV software involves blacklisting.  That is, the malware detectors will always be behind the curve because there will always be a new sample to blacklist.  The malware authors have an inherit advantage because they get to act first.  This is why you can never be sure that just because your AV software says you're clean means it's true.  Blacklisting is a fundamentally flawed approach.

A better solution is a whitelisting approach -- that is, one makes a policy on the machine what software can run and then he by default denies everything else (this is much like using the NoScript plugin for Firefox except using it system wide).  Windows comes with this ability via it's Applocker mechanism, though it is not widely used or even known about.  Other solutions on Windows are various so-called "HIPS" programs which do essentially the same thing.

If you must use Windows and that machine must be connected to the Internet, I recommend using a limited user account, setting up a whitelist policy with Applocker and turning on full ASLR/DEP.  These solutions are much more effective than any AV solution and can all be done for free. Of course, the best solution is to ditch Windows all together. ;)

The Bottom Line

One can take a quick look at the net worth of companies like Symantec, McAfee or Kaspersky and see just how successful they have been pushing their snake-oil.  Think about it, if their products worked, they would not be worth billions.  Security is one industry where if the techniques actually worked, there would be no business.

No, instead these companies keep customers sucked in by forcing them to pay for new updates to catch new malware in a never ending cycle of insanity (you know, doing the same thing over and over and expecting different results).

Paradoxically, these companies scream and complain any time Microsoft makes changes to Windows to lock it down (such as with PatchGuard) or when Microsoft introduces its own security tools and bundles them with Windows.  This undoubtedly helps with the security of Windows, but the AV companies don't care about overall security, they only care about being able to peddle their products without Microsoft's pesky interference or competition.

This is an unfortunate testament to the ignorance of the average Windows user. I don't blame the user, as I don't expect every computer user to be a computer science major.  The best thing the average user can do is be informed of techniques that do work (at least to a degree) and avoid wasting money.  AV software is an utter waste of money.  But for that matter, so is Windows when there are much better free alternatives.


  1. Great post! I am sure many will get interested with this "software companies" Thanks for sharing this post. I learned a lot. Keep posting!

  2. Wow that was great , Thanks a lot for enlightening the atmosphere


  3. Ich schätze Ihren Artikel wirklich. Der Beitrag hat hervorragende Tipps, die nützlich sind. Dieser Beitrag ist gut in Bezug auf beideWissen sowie Informationen.
    online kaufen